Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp3940571pxb; Sun, 27 Mar 2022 08:39:07 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyYxCh35lfy+D522ESRww2bX882z1EDWsfk4AdY2aM+c01ckm0K+sGNXpaN1BGt5O8Pvnp6 X-Received: by 2002:a05:6402:4391:b0:419:2f2d:a1da with SMTP id o17-20020a056402439100b004192f2da1damr10827197edc.298.1648395546880; Sun, 27 Mar 2022 08:39:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1648395546; cv=none; d=google.com; s=arc-20160816; b=u+NWZIVbzPZHmLBaso0ofrNgRF3L9FLncMCjAP3I2W7vTmexk//MWwqCpJCDATTHo7 ZV2zepSGK2Hfv9JbAu1iM8f8rbGmAWo2gNOIO2mNFcCyiiFLVvJfmsXiNtHR3jJKPllb +Ru+CTSYL6gtqcjULGVVBiFlXRw2/bsmOKiqh6ayTpCwJY+uXVGcKOJN173YoxJdZ1Yb it/X5DryO9f+KA4qpL0LorgVyIODCFs+MZ0ypGUlwl7RP6uSG+738VUEsS9rzFO/aVE0 18HVqittiF1YY32wGtTJQbnVQmukJRDAzYUfL6HIOO9VvvdMDvUsZ4CgbV1yglW2ZHJX xijg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-disposition:mime-version:message-id :subject:to:from:date:dkim-signature; bh=yKH6U0aY4AB0l+O3bRcvRzZSzrvb0v5j6aRvFByLTeA=; b=mWbXscJLr5aV8RW+DiP1XH3yXqEcqTBx+NhgyIqxe+GYFjXYBy79W9C0TENT27Gcde x9gzSy3xTuemGcmkj+WsB+kX9RM8hH6w1gKPx+xBjiwy+9yUllT/x4uDFAaxw/4dfvcx FIUbQUjmHeT5F7JU+YtWvyJARdQdNlvF+/P/gbbS4AdtWVs0boKMHvG6/x89QJdbVyJw NTGqzSx0s/LaL6vGzUD5Gq6oIPb1keo0ynFQhqRhn74nnmIxShKpvVPiRmvzd/RWKHmb d5aE+FD4fP/lURpUiT4vISMjr1FEPvMtH9QeNqvFcTSithIEe7Mycy2LwfTXSeXqQc/t R0gw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=NXzGAqNI; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Return-Path: Received: from out1.vger.email (out1.vger.email. 
[2620:137:e000::1:20]) by mx.google.com with ESMTP id bs3-20020a170906d1c300b006df76385d2bsi10879510ejb.459.2022.03.27.08.38.56; Sun, 27 Mar 2022 08:39:06 -0700 (PDT) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=NXzGAqNI; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234663AbiC0MRA (ORCPT + 23 others); Sun, 27 Mar 2022 08:17:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48174 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233166AbiC0MQ5 (ORCPT ); Sun, 27 Mar 2022 08:16:57 -0400 Received: from smtp.sws.net.au (smtp.sws.net.au [144.76.241.179]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2D92537A0B for ; Sun, 27 Mar 2022 05:15:18 -0700 (PDT) Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id 8B27AED73 for ; Sun, 27 Mar 2022 23:15:15 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1648383315; bh=yKH6U0aY4AB0l+O3bRcvRzZSzrvb0v5j6aRvFByLTeA=; l=3417; h=Date:From:To:Subject:From; b=NXzGAqNIOQR/V4hPyF2rIN8UJvk7gDOtg42L1wqmC67TQ1stZdsan9Z+C5iP2EfMf sm5OgVe8B5A7k4wakSt8QYFoYYnF5WFmVDRQqvi5V7Lsq/qu3V2AIxNzMrcYPGuOMQ hxvv2JVeDcMamq7BBsukUrcZxrM6X4TjGWlGju38= Received: by xev.coker.com.au (Postfix, from userid 1001) id 18BF0179D0DD; Sun, 27 Mar 2022 23:15:11 +1100 (AEDT) Date: Sun, 27 Mar 2022 23:15:11 +1100 
From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: [PATCH] new sddm V2 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org This patch addresses all previous issues and I think it's ready to merge. Signed-off-by: Russell Coker Index: refpolicy-2.20220326/policy/modules/services/xserver.te =================================================================== --- refpolicy-2.20220326.orig/policy/modules/services/xserver.te +++ refpolicy-2.20220326/policy/modules/services/xserver.te @@ -62,6 +62,10 @@ gen_tunable(xserver_object_manager, fals ## gen_tunable(xserver_allow_dri, false) +# for sddm to use pam for greeter +role xdm_r; +allow system_r xdm_r; + attribute x_domain; # X Events @@ -145,6 +149,7 @@ fs_associate_tmpfs(xconsole_device_t) files_associate_tmp(xconsole_device_t) type xdm_t; +role xdm_r types xdm_t; type xdm_exec_t; auth_login_pgm_domain(xdm_t) init_domain(xdm_t, xdm_exec_t) @@ -843,6 +848,9 @@ manage_files_pattern(xserver_t, xdm_tmp_ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +# for sddm to use pam for greeter, sddm greeter needs execmod +allow xdm_t xdm_tmpfs_t:file execmod; + # Run Xorg.wrap can_exec(xserver_t, xserver_exec_t) 
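Review bot: The comment `# for sddm to use pam for greeter` above `role xdm_r;` and `allow system_r xdm_r;` in the first xserver.te hunk (@@ -62,6 +62,10) does not say what the new role is for or what else depends on it. The role is bound to xdm_t in the second hunk and given to a new SELinux user by the `gen_user` line at the end of the file, so someone auditing role allows has to find all three places by search. I would expand the comment to something like `# xdm_r: role of the xdm SELinux user (gen_user at end of file), which the sddm login is mapped to in seusers`. The declarations section this sits in continues outside the hunk.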
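Review bot: `allow xdm_t xdm_tmpfs_t:file execmod;` in the third xserver.te hunk (@@ -843,6 +848,9) is granted unconditionally to every display manager running as xdm_t, although its comment says only the sddm greeter needs it. execmod lets the domain make executable a file mapping it has modified, so I would keep it off by default by putting the rule in a `tunable_policy` block, with a new boolean declared via `gen_tunable(..., false)` next to `xserver_allow_dri`. The rule also sits between xserver_t rules (`manage_sock_files_pattern(xserver_t, ...)` and `can_exec(xserver_t, ...)`) and would read better in the xdm_t local policy, which is outside this hunk. At minimum the comment should say what is being mapped, e.g. `# sddm greeter maps a modified xdm_tmpfs_t file executable; remove once the cause is fixed`.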
@@ -1009,3 +1017,6 @@ allow xserver_unconfined_type { x_domain
 allow xserver_unconfined_type xextension_type:x_extension { query use };
 allow xserver_unconfined_type { x_domain xserver_t }:x_resource { read write };
 allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } { send receive };
+
+# for sddm to use pam for greeter
+gen_user(xdm,, xdm_r, s0, s0)
Index: refpolicy-2.20220326/config/appconfig-mcs/seusers
===================================================================
--- refpolicy-2.20220326.orig/config/appconfig-mcs/seusers
+++ refpolicy-2.20220326/config/appconfig-mcs/seusers
@@ -1,2 +1,3 @@
 root:unconfined_u:s0-mcs_systemhigh
 __default__:unconfined_u:s0-mcs_systemhigh
+sddm:xdm:s0
Index: refpolicy-2.20220326/config/appconfig-mcs/xdm_default_contexts
===================================================================
--- /dev/null
+++ refpolicy-2.20220326/config/appconfig-mcs/xdm_default_contexts
@@ -0,0 +1 @@
+system_r:xdm_t:s0 system_r:xdm_t:s0
Index: refpolicy-2.20220326/config/appconfig-mls/xdm_default_contexts
===================================================================
--- /dev/null
+++ refpolicy-2.20220326/config/appconfig-mls/xdm_default_contexts
@@ -0,0 +1 @@
+system_r:xdm_t:s0 system_r:xdm_t:s0
Index: refpolicy-2.20220326/config/appconfig-standard/xdm_default_contexts
===================================================================
--- /dev/null
+++ refpolicy-2.20220326/config/appconfig-standard/xdm_default_contexts
@@ -0,0 +1 @@
+system_r:xdm_t system_r:xdm_t
Index: refpolicy-2.20220326/config/appconfig-mls/seusers
===================================================================
--- refpolicy-2.20220326.orig/config/appconfig-mls/seusers
+++ refpolicy-2.20220326/config/appconfig-mls/seusers
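Review bot: `gen_user(xdm,, xdm_r, s0, s0)` at the end of xserver.te (@@ -1009,3 +1017,6) defines the SELinux user inside the module, while the `sddm:xdm:s0` lines are added to the seusers files under config/appconfig-mcs, -mls and -standard with no visible dependency on that module. If a policy is built without xserver, seusers would presumably name a user that does not exist; please confirm how the install and seusers validation behave in that case. If they fail, the user may need to be declared wherever the other users are declared (that file is not part of this patch), or the seusers entry made conditional. A one-line comment here pointing at the seusers entries would make the coupling visible, e.g. `# paired with the sddm:xdm entries in config/appconfig-*/seusers`.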
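Review bot: The target context `system_r:xdm_t:s0` in the new config/appconfig-mcs/xdm_default_contexts uses role system_r, but the only role this patch gives the xdm user is xdm_r (`gen_user(xdm,, xdm_r, s0, s0)` in xserver.te). Unless the user is authorised for system_r somewhere outside this patch, xdm:system_r:xdm_t would not be a valid context and the entry could not be selected. If the intent is for the greeter session to run in the new role, the line would read `system_r:xdm_t:s0 xdm_r:xdm_t:s0`; please confirm which is meant. The same question applies to the -mls and -standard copies of the file.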
@@ -1,2 +1,3 @@
 root:root:s0-mls_systemhigh
 __default__:user_u:s0
+sddm:xdm:s0
Index: refpolicy-2.20220326/config/appconfig-standard/seusers
===================================================================
--- refpolicy-2.20220326.orig/config/appconfig-standard/seusers
+++ refpolicy-2.20220326/config/appconfig-standard/seusers
@@ -1,2 +1,3 @@
 root:root
 __default__:user_u
+sddm:xdm:s0
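Review bot: The entry added to config/appconfig-standard/seusers, `sddm:xdm:s0`, carries an MLS level although the two existing lines in that file (`root:root`, `__default__:user_u`) have none. The appconfig-standard/xdm_default_contexts added by this same patch also omits the level. For the non-MLS/MCS configuration the line should be `sddm:xdm`. The -mcs and -mls seusers hunks match the field layout of their neighbouring lines.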